Keeping track of tokens

When building a UI or application that potentially performs actions across different projects or even domains, there is a concern about how to keep track of the various tokens that get generated.

For example, a user may initially get an unscoped token, then get 3 different project-scoped tokens from that token to perform various project-specific operations.

What is a good practice to be able to perform the appropriate housekeeping of these tokens? In the situation above, there are 4 tokens. In Horizon, for example, which one gets DELETED when doing a sign out? What happens to the others?

In particular, if PKI tokens are used, keeping those around may become problematic due to the size, if carried around through cookies.